Enpass Password Manager

Enpass Password Manager 5 is a big improvement over the edition we tested previously, but it still won't challenge the best free password managers. Note, too, that you must pay if you want to use it on mobile devices.

Passwords are terrible in so many ways, but we rely on them for authentication because we don't have a better universal solution. Poor password habits can set you up for identity theft, actual theft of your online assets, or worse. Using a password manager frees you from the painful task of remembering a unique, strong password for every website. Even so, the process needs to be as slick and automated as possible. The free Enpass Password Manager includes the expected ability to automatically capture credentials as you log in to secure sites, and almost-automatically replay those credentials. It has gained some new features since my previous review, but still lags the best free password managers in both advanced features such as account inheritance and basic features such as web form filling.

Enpass supports an impressive collection of platforms: Windows, Mac OS, Linux, iOS, Android, and Universal Windows Platform (UWP). (The company discontinued BlackBerry support in 2017). You can use it at no cost on as many desktops as you like. However, if you want to use it on Android, iOS, or UWP, you must pay a $9.99 fee for each platform. Once you've paid on a given platform, you have a lifetime license to use Enpass on all your devices of that type.

Years ago, using LastPass on mobile devices required a premium license. Then, for a while, the free edition limited you to using one type of device, desktop, smartphone, or tablet. But at present, you can install LastPass on every Windows, macOS, Linus, Android, or iOS device you own, without paying an extra fee. The same is true of LogMeOnce and most other free password managers.

Getting Started

Dashlane, LastPass, Keeper, and many other password managers keep your encrypted data in the cloud, syncing it with local devices as needed. Enpass doesn't swing that way. It stores your passwords and other info locally, with a variety of options for syncing between devices. Most likely you'll set it up to sync through one of the popular cloud storage services. Like Sticky Password Premium£9.99 at Special Offer - SEE IT!, Enpass includes the option to sync only across your home Wi-Fi network. You can use a shared network folder for syncing. Finally, if you are a total geek, you can use WebDAV/ownCloud.

Using local-only storage means you never set up an account with Enpass. You simply install the app for the platform you're using and indicate whether you're setting up as a new user or restoring existing data. For your first installation, you have to create a strong master password. Like many other password managers, Enpass warns that if you forget the master password, there's no way to get back your data.

If you don't want to sync passwords with other devices, you're done. But if you do, you need to set up syncing using the method of your choice. For installations on other devices, you choose that same sync method and enter your master password. If you're using cloud storage, I advise protecting that cloud storage account with two-factor authentication, something Enpass itself doesn't use.

In a desktop installation, Enpass uses the familiar three-column layout. The left column offers a menu of item types. The middle column lists items of the selected type. And the right column displays details of the selected item. It looks remarkably similar to AgileBits 1Password, though there's no actual connection. Enpass uses site-specific icons for certain popular sites and a generic icon for the rest.

Import Options

KeePass, LastPass, 1U Password Manager, and many others help you get started by importing passwords stored in your browsers. It's definitely a good idea to turn off browser-based password storage once you have a password manager installed.

Enpass doesn't automate import of passwords from your browsers, but it does offer import from Dashlane, LastPass, RoboForm, Keeper, and about two dozen others. Howver, when I looked at the list I noticed many unfamiliar names. Indeed, less than half were among those I've reviewed. Digging deeper, I found that, just as with Ascendo DataVault Password Manager, many of the options for import were useless. Some products had reached end-of-life, others came from companies that no longer exist, and quite a few seemed to be tiny operations. When I tried to visit the site for one product, Norton identified the page as malicious, the same as with DataVault.

There's no actual harm in the outdated items in the import list. However, their presence makes me wonder what else in Enpass might be out of date.

Browser Extensions

On its own, the Enpass application just serves to store and sync your passwords and personal data. If you want it to capture and replay your passwords, you must install its browser extensions. Enpass offers extensions for Chrome, Edge, Firefox, Opera, and Safari. Unlike many competing products, Enpass doesn't detect the browser you're using and offer the appropriate extension.

The browser extensions are totally reliant on the main app. If you shut it down, they don't work. On the flip side, if the main app is running, that proves you've entered the master password. Since my last review, Enpass offers quick PIN-based unlocking that only works when the main app is running. That's smart.

With a browser extension enabled, Enpass can capture your credentials as you log in to each secure site. You can give the login a friendly name at capture time, but you must go into the main application if you want to put it in a folder.

Password playback isn't as automated as with most password managers. There's no automatic filling in of credentials when you revisit a site. However, if you click the browser toolbar button you see a menu of credentials for the current site. You can also press the magic key combination Ctrl+/ to fill available credentials. If you've stored multiple sets of credentials, Enpass pops up a menu so you can choose. 1Password works in almost exactly the same way, but it's magic key is Ctrl+\.

I found that for two-page logins like Amazon and EventBrite, Enpass captured the password but not the username. After I edited the entries to add the username, it did successfully log in to these sites.

Symantec Norton Identity Safe, LastPass, and many other password managers let you click the toolbar button to get a menu of available logins. When you click one, it automatically opens and the password manager logs in. Here again, Enpass is a bit different. Clicking the toolbar button just shows you recent logins. If you want to navigate to an arbitrary saved site, you must use the search function.

The browser plug-ins will handle most of your interaction with Enpass, but certain tasks can require the desktop application. This is where you go to edit saved logins, assign them to existing or new folders, mark them as favorites, change their icons, and so on. Folders and subfolders show up in the left column, and you can drag items and subfolders to arrange them. With LastPass and many others, folders and subfolders become menus and submenus reached by clicking the toolbar button. As noted, Enpass doesn't work that way.

Password Generator

You can launch the password generator by clicking the Enpss toolbar button or by launching it from the main application. I'm impressed that Enpass default to a password length of 18 characters, even longer than LogMeOnce's default of 15 characters. Generated passwords should be long—you don't have to remember them! But the default in some products is ridiculously short. 1U Password Manager, for example, generates six-character passwords by default. Myki defaults to an impressive 30 characters.

Most password generators let you configure which character sets to use: lowercase letters, uppercase letters, digits, and symbols. Enpass goes a bit beyond that, with a recipe that specifies the precise number of digits, symbols, and uppercase letters. Lowercase letters fill in the rest.

The problem is that the recipe numbers don't change automatically as you change password length. If you increase the length without changing the recipe, you're only adding lowercase letters. If you decrease it below the sum of the numbers in the recipe, character sets start to vanish, first lowercase letters, then uppercase letters, then symbols. When you go too low, you get nothing but digits. Note, too, that requiring specific numbers of various character types vastly reduces the pool of possibilities, compared with generating truly random passwords.

My advice—pick the password length you want, or go with the default of 18 characters. Check the recipe to make sure you're getting a good mix of all character types. Then leave it alone. Don't make any changes, unless you're willing to recalculate the recipe.

Personal Data

Enpass can store a vast number of different types of personal data. You can store credit card details and other financial account details. Computer-related items include email accounts, FTP accounts, and wireless router details. Licenses, secure notes, flight and hotel details for travel, the list goes on.

The Miscellaneous category includes over two dozen types of data, among them clothing sizes, prescription information, reward program accounts, and more. Anything you enter gets synced to all your devices, which is handy. But unlike most password managers, Enpass won't help you out by filling Web forms with stored data.

Secure Sharing

In general, sharing passwords with others isn't a great idea, but sometimes it makes sense. For example, you might share the login to a joint bank account. As long as the other user also has Enpass installed, sharing is pretty simple.

In the desktop edition, you select the item, click the share arrow, and select email. Enpass creates an email message containing an encrypted data block representing your credentials. Note that this only works if you have an email client installed and configured. On a mobile device, you get additional options for sharing, including saving the shared information to a text file in cloud storage. Be sure you don't check the box titled Plain Text.

LastPass and LogMeOnce Password Management Suite Premium also offer secure sharing, with the ability share credentials while hiding the password itself from view. They also let you revoke sharing. 1U users can share passwords, but only in the mobile edition. With Enpass, sharing is a single, one-way transaction. Once the data is shared, it's out of your hands. Still, many free password managers don't offer secure sharing at all.

One-Time Authentication Codes

As noted, Enpass doesn't support two-factor authentication, but it can help you with websites that use time-based one-time passwords, or TOTP, for a second layer of authentication. That's new since my previous review. Dashlane and 1Password also offer this feature, and it's a prime component of Myki Password Manager & Authenticator. If a site says it supports Google Authenticator, you can use Enpass instead.

However, It's not at all obvious how to set up TOTP for a site. It turns out you must first create a login for the site in question, then open the login for editing and add a TOTP field. If you're using an iOS device, you can scan the site's QR code. On a desktop, you must copy and paste the secret key that corresponds to that QR code. 1Password handles the connection more gracefully, using a window with a transparent section that you position over the QR code.

Password Audit

The Password Audit feature in the Enpass application lists weak passwords and duplicate passwords. It also lists old passwords, meaning ones that haven't been changed in the last one, two, or three months.

Fixing weak passwords and dupes is a manual process. You go log in to the site, perform the password change operation (using a strong password generated by Enpass) and let Enpass capture the change. Repeat until there are no more weak passwords or duplicates.

The similar feature in Dashlane, LastPass, and LogMeOnce is an actionable, interactive report. You click a link to go directly to the site or, for supported sites, have the password manager automatically make the change for you.

Handles the Basics

Enpass Password Manager handles automated password capture, as well as almost-automated password replay. It can now function as an authenticator app for websites that are compatible with Google Authenticator. You can now attach files or photos to any saved item. However, it still doesn't help with filling web forms, and if you want to use it on your mobile devices, it isn't free.

LastPass and LogMeOnce Password Management Suite Premium offer unlimited free usage on all your devices. Both have a significantly broader feature set than Enpass, including the option to pass along your account to your inheritors. These two are our Editors' Choice products for free password management.

Enpass Password Manager

good

Bottom Line: Enpass Password Manager handles basic password management tasks and now generate two-factor authentication codes. It can't challenge the best free password managers, however, because it lacks abilities like web form filling and account inheritance.

Pros

Cons

Not free for mobile use.
No support for Internet Explorer.
No web form filling.
No account inheritance.

Bottom Line

Enpass Password Manager handles basic password management tasks and now generate two-factor authentication codes.
It can't challenge the best free password managers, however, because it lacks abilities like web form filling and account inheritance.